Bug 1268126 - system:admin requiring password
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
low
Assignee: Jordan Liggitt
QA Contact: weiwei jiang
Reported: 2015-10-01 21:22 UTC by Ryan Howe
Modified: 2016-10-30 22:54 UTC (History)

Doc Type: Bug Fix
Last Closed: 2016-01-29 20:58:31 UTC

Description Ryan Howe 2015-10-01 21:22:48 UTC
Description of problem:
system:admin requiring password when starting fresh with a copied version of admin.kubeconfig

Workaround is to use the -u option the first time. 

Version-Release number of selected component (if applicable):
3.0.2

How reproducible:
100% 

Steps to Reproduce:

[root@master ~]# rm .kube/config
rm: remove regular file ‘.kube/config’? y

[root@master ~]# cp /etc/openshift/master/admin.kubeconfig .kube/config

[root@master ~]# oc login
Authentication required for https://master.lizard.com:8443 (openshift)
Username: system:admin
Password: 
Error from server: Internal error occurred: unexpected response: 500

[root@master ~]# oc login -u system:admin
Logged into "https://master.lizard.com:8443" as "system:admin" using existing credentials.

Using project "default".

You have access to the following projects and can switch between them with 'oc project <projectname>':

  * default (current)
  * openshift
  * openshift-infra


Actual results:
Error from server: Internal error occurred: unexpected response: 500

Expected results:
Logged into "https://master.lizard.com:8443" as "system:admin" using existing credentials.

Additional info:

This only happens when the -u option is not used the first time. 

This was tested with htpasswd auth

Comment 2 Jordan Liggitt 2015-10-01 21:25:54 UTC
To switch to existing credentials, you must use "-u ...". Will look into preventing the 500 error.

Comment 3 Jordan Liggitt 2015-11-12 21:58:04 UTC
Fixed in origin in https://github.com/openshift/origin/pull/5726

Comment 4 Jordan Liggitt 2016-01-13 18:15:27 UTC
Usernames with colons no longer attempt password auth

Comment 5 weiwei jiang 2016-01-14 07:57:07 UTC
Checked with devenv-centos7_3136, and it still does not work.

# oc login 
Authentication required for https://172.18.8.193:8443 (openshift)
Username: system:admin
Password: 
error: username system:admin is invalid for basic auth

Comment 6 Jordan Liggitt 2016-01-14 13:31:05 UTC
To switch to existing credentials, you must use "-u ...". The bug that was fixed was the 500 error encountered if you try to use "system:admin" as a password login.

The "username system:admin is invalid for basic auth" error is working correctly if you attempt to use that username for a password login.

Comment 7 weiwei jiang 2016-01-15 05:47:59 UTC
(In reply to Jordan Liggitt from comment #6)
> To switch to existing credentials, you must use "-u ...". The bug that
> was fixed was the 500 error encountered if you try to use "system:admin" as
> a password login.
> 
> The "username system:admin is invalid for basic auth" error is working
> correctly if you attempt to use that username for a password login.

If so, it should be verified.

Comment 8 Salvatore Provvidenza 2016-01-22 11:42:43 UTC
Hi guys, I have the same problem with the last version of origin (openshift-origin-server-v1.1.1).

When I run this command:

oc login localhost:8443 -usystem:admin

OpenShift requires a password. I need the system:admin user, but I don't know how to get permission to run:

oadm policy add-cluster-role-to-user cluster-admin admin

Do you have any idea to help me?

Thanks in advance.

Comment 9 Jordan Liggitt 2016-01-22 21:22:45 UTC
system:admin credentials live in a client certificate. If you get prompted for a password, that means your $KUBECONFIG file does not contain those credentials. You need to locate the admin.kubeconfig file generated at server start and do:

export KUBECONFIG=/path/to/admin.kubeconfig

Then you will be able to run cluster admin commands.
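
Added example (not part of the original thread and not OpenShift's own code): a shell check for the condition Comment 9 describes, reporting whether each user entry in a kubeconfig carries a client certificate and key, a token, or nothing. The function names, the sample file, its hostname and the "USER/<cluster>" entry naming are assumptions made for illustration.

```shell
#!/bin/sh
# Print "<user entry>\t<client-cert|token|none>" for each user in a kubeconfig.
# Assumes the block layout oc/kubectl write: top-level keys and "- " list
# items at column 0, one key per line.
kubeconfig_cred_types() {
    awk '
        function flush() {
            if (name != "")
                printf "%s\t%s\n", name, (cert && key ? "client-cert" : (token ? "token" : "none"))
            name = ""; cert = 0; key = 0; token = 0
        }
        /^[A-Za-z]/ { flush(); in_users = ($0 ~ /^users:/); next }  # top-level key
        !in_users   { next }
        /^- /       { flush() }                                     # next user entry
        /^(- |  )name:/ { sub(/^(- |  )name: */, ""); gsub(/"/, ""); name = $0; next }
        # A certificate without its key (or the reverse) cannot authenticate.
        /^ +client-certificate(-data)?: *[^ ]/ { cert = 1 }
        /^ +client-key(-data)?: *[^ ]/         { key = 1 }
        /^ +token: *[^ ]/                      { token = 1 }
        END { flush() }
    ' "$1"
}

# Succeed if USER (bare, or "USER/<cluster>", the assumed oc naming) has cert + key.
kubeconfig_has_client_cert() {
    kubeconfig_cred_types "$1" | awk -F '\t' -v u="$2" '
        ($1 == u || index($1, u "/") == 1) && $2 == "client-cert" { found = 1 }
        END { exit !found }'
}

# Constructed sample, not taken from the bug report.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
apiVersion: v1
kind: Config
users:
- name: system:admin/master-example-com:8443
  user:
    client-certificate-data: PLACEHOLDER-CERT
    client-key-data: PLACEHOLDER-KEY
- name: alice/master-example-com:8443
  user:
    token: constructed-token
EOF
kubeconfig_cred_types "$sample"
kubeconfig_has_client_cert "$sample" system:admin && echo "system:admin: client certificate present"
kubeconfig_has_client_cert "$sample" alice || echo "alice: no client certificate in this file"
```

Run the functions against the file that $KUBECONFIG points to (or ~/.kube/config) to see whether the system:admin certificate is actually there.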

Comment 10 Salvatore Provvidenza 2016-01-25 10:05:44 UTC
Thanks, now it works fine :D

